Analysis Overview
SHA256
e660768142d773f0116a2f6409af74339bb69b9bba780c3dd342ef70b1920c65
Threat Level: Known bad
The file Malware.zip was found to be: Known bad.
Malicious Activity Summary
Qakbot/Qbot
Program crash
Discovers systems in the same network
Runs net.exe
Suspicious use of AdjustPrivilegeToken
Gathers network information
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V6
Analysis: static1
Detonation Overview
Reported
2023-02-08 20:35
Signatures
Analysis: behavioral1
Detonation Overview
Submitted
2023-02-08 20:35
Reported
2023-02-08 20:45
Platform
win10-20220812-en
Max time kernel
599s
Max time network
593s
Command Line
Signatures
Qakbot/Qbot
Discovers systems in the same network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
C:\Windows\system32\cmd.exe /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe putty.jpg,Wind
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe putty.jpg,Wind
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\msra.exe
C:\Windows\SysWOW64\msra.exe
C:\Windows\SysWOW64\net.exe
net view
C:\Windows\SysWOW64\cmd.exe
cmd /c set
C:\Windows\SysWOW64\arp.exe
arp -a
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
C:\Windows\SysWOW64\net.exe
net share
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
C:\Windows\SysWOW64\route.exe
route print
C:\Windows\SysWOW64\netstat.exe
netstat -nao
C:\Windows\SysWOW64\net.exe
net localgroup
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\SysWOW64\whoami.exe
whoami /all
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| GB | 51.105.71.137:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 74.6.143.25:443 | yahoo.com | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| IE | 87.248.100.216:443 | www.yahoo.com | tcp |
| IE | 87.248.100.216:443 | www.yahoo.com | tcp |
| US | 50.20.171.2:443 | 50.20.171.2 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| US | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| US | 8.8.8.8:53 | evcs-ocsp.ws.symantec.com | udp |
| SE | 23.52.27.27:80 | evcs-ocsp.ws.symantec.com | tcp |
| US | 50.20.171.2:443 | 50.20.171.2 | tcp |
| US | 50.20.171.2:443 | 50.20.171.2 | tcp |
| US | 8.8.8.8:53 | oracle.com | udp |
| US | 138.1.33.162:443 | oracle.com | tcp |
| US | 8.8.8.8:53 | www.oracle.com | udp |
| NL | 23.206.84.89:443 | www.oracle.com | tcp |
| US | 50.20.171.2:443 | 50.20.171.2 | tcp |
Files
Analysis: behavioral2
Detonation Overview
Submitted
2023-02-08 20:35
Reported
2023-02-08 20:45
Platform
win7-20220812-en
Max time kernel
600s
Max time network
602s
Command Line
Signatures
Qakbot/Qbot
Discovers systems in the same network
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\net.exe | N/A |
Gathers network information
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\ipconfig.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
Runs net.exe
Suspicious behavior: EnumeratesProcesses
Suspicious behavior: MapViewOfSection
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\rundll32.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\netstat.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\whoami.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\system32\msiexec.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\cmd.exe
cmd /c "C:\Users\Admin\AppData\Local\Temp\RunDLL-1.bat"
C:\Windows\system32\rundll32.exe
rundll32.exe putty.jpg,Wind
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe putty.jpg,Wind
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\wermgr.exe
C:\Windows\SysWOW64\msra.exe
C:\Windows\SysWOW64\msra.exe
C:\Windows\SysWOW64\net.exe
net view
C:\Windows\SysWOW64\cmd.exe
cmd /c set
C:\Windows\SysWOW64\arp.exe
arp -a
C:\Windows\SysWOW64\ipconfig.exe
ipconfig /all
C:\Windows\SysWOW64\nslookup.exe
nslookup -querytype=ALL -timeout=12 _ldap._tcp.dc._msdcs.WORKGROUP
C:\Windows\SysWOW64\net.exe
net share
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 share
C:\Windows\SysWOW64\route.exe
route print
C:\Windows\SysWOW64\netstat.exe
netstat -nao
C:\Windows\SysWOW64\net.exe
net localgroup
C:\Windows\SysWOW64\net1.exe
C:\Windows\system32\net1 localgroup
C:\Windows\SysWOW64\whoami.exe
whoami /all
C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | google.com | udp |
| NL | 142.250.179.142:443 | google.com | tcp |
| SA | 2.88.198.90:995 | 2.88.198.90 | tcp |
| US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp |
| US | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| US | 8.8.8.8:53 | _ldap._tcp.dc._msdcs.WORKGROUP | udp |
| US | 8.8.8.8:53 | crl.microsoft.com | udp |
| NL | 23.72.252.170:80 | crl.microsoft.com | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| NL | 173.223.113.131:80 | www.microsoft.com | tcp |
| US | 8.8.8.8:53 | csc3-2004-crl.verisign.com | udp |
| SA | 2.88.198.90:995 | 2.88.198.90 | tcp |
| SA | 2.88.198.90:995 | 2.88.198.90 | tcp |
| US | 8.8.8.8:53 | www.microsoft.com | udp |
| US | 8.8.8.8:53 | yahoo.com | udp |
| US | 74.6.143.25:443 | yahoo.com | tcp |
| US | 8.8.8.8:53 | www.yahoo.com | udp |
| IE | 87.248.100.216:443 | www.yahoo.com | tcp |
| SA | 2.88.198.90:995 | 2.88.198.90 | tcp |
Files
Analysis: behavioral3
Detonation Overview
Submitted
2023-02-08 20:35
Reported
2023-02-08 20:45
Platform
win10-20220812-en
Max time kernel
375s
Max time network
437s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2208 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
| PID 2208 wrote to memory of 2392 | N/A | C:\Windows\system32\rundll32.exe | C:\Windows\SysWOW64\rundll32.exe |
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 2392 -s 636
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 52.168.112.66:443 | | tcp |
| US | 93.184.221.240:80 | | tcp |
Files
Analysis: behavioral4
Detonation Overview
Submitted
2023-02-08 20:35
Reported
2023-02-08 20:45
Platform
win7-20221111-en
Max time kernel
391s
Max time network
397s
Command Line
Signatures
Program crash
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Windows\SysWOW64\rundll32.exe |
Suspicious use of WriteProcessMemory
Processes
C:\Windows\system32\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1
C:\Windows\SysWOW64\rundll32.exe
rundll32.exe C:\Users\Admin\AppData\Local\Temp\putty.dll,#1
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1188 -s 228
Network
Files
memory/1188-54-0x0000000000000000-mapping.dmp
memory/1188-55-0x00000000763D1000-0x00000000763D3000-memory.dmp
memory/1600-56-0x0000000000000000-mapping.dmp